Re: UDP connection attempts
- From: "Adrian Penisoara" <ady@xxxxxxxxxxxxxx>
- Date: Wed, 19 Jul 2006 12:22:18 +0300
Hi,
$ grep "\<512/udp" /etc/services
biff 512/udp comsat #used by mail system to notify users
So basicly you got a process (most likely your local MTA) sending
notifications for incoming new mails to the comsat service (which by default
is disabled in /etc/inetd.conf).
Either adjust your firewall to allow such notifications (UDP packets
towards port 512 on subnet 127.0.0.0/8 through lo0 interface) or disable
notification from your mail delivery agent.
Best regards,
Adrian Penisoara
Ady (@freebsd.ady.ro)
On 7/19/06, George Mamalakis <mamalos@xxxxxx> wrote:
_______________________________________________
Hi everyone,
I administer this 5.2.1 Freebsd Box which runs a few services, among of
which are bind and postfix. On the same box I run ipfw as a firewall, and
have a default policy block for all incoming packets, except for those
that are for ports 53 (tcp and udp) and 25 (tcp).
I also have the following sysctl values enabled:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
In my security logs I keep on getting the following messages:
Jul 19 03:04:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
127.0.0.1:52291
Jul 19 03:25:56 ns1 kernel: Connection attempt to UDP
myexternaladdress:52299 from myexternaladdress:53
Jul 19 09:33:11 ns1 kernel: Connection attempt to UDP
myexternaladdress:52316 from myexternaladdress:53
Jul 19 10:28:32 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
127.0.0.1:52328
Jul 19 11:05:49 ns1 kernel: Connection attempt to UDP 127.0.0.1:512 from
127.0.0.1:52354
I have googled these messages many times, but haven't still found a real
explanation of why these messages occur. The way I see it is that there is
no malicious behaviour behind theses messages, most probably there's
something that has to do with my firewall settings, and the keep state
option.
I present the excerpt from my firewall configuration file that relates to
the dns incoming traffic:
add 00389 allow udp from any to myexternaladdress 53 in via fxp0
keep-state
I would be greatful if someone could explain to me why these messages
keep showing, and if there is a way to prevent them from occuring in the
future.
Thank you all in advance,
mamalos
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx
"
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- References:
- UDP connection attempts
- From: George Mamalakis
- UDP connection attempts
- Prev by Date: Re: UDP connection attempts
- Next by Date: Re: UDP connection attempts
- Previous by thread: Re: UDP connection attempts
- Next by thread: Re: UDP connection attempts
- Index(es):
Relevant Pages
|
|
